[Freeipa-users] authentication failing

2016-04-08 Thread John Williams
I've got a system that is not authenticating to our freeIPA instance.  I get 
the following messages on the client:
Apr  8 10:14:52 host sssd[be[my.com]]: dereference processing failed : Invalid argument
Apr  8 10:14:52 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
Apr  8 10:14:58 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
Apr  8 10:14:58 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
Apr  8 10:16:17 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
Apr  8 10:16:17 host sssd[be[my.com]]]: dereference processing failed : Invalid argument
[root@host log]# less /var/log/messages
Not sure what other information would be helpful in troubleshooting.  But where 
do we start troubleshooting if more logs are required?
Thanks
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] CentOS 7 replica installation failing

2016-04-07 Thread John Williams


  From: Petr Vobornik <pvobo...@redhat.com>
 To: John Williams <john.1...@yahoo.com>; "Freeipa-users@redhat.com" 
<Freeipa-users@redhat.com> 
 Sent: Thursday, April 7, 2016 8:01 AM
 Subject: Re: [Freeipa-users] CentOS 7 replica installation failing
   
On 04/07/2016 01:34 PM, John Williams wrote:
> 
> 
> 
> *From:* Petr Vobornik <pvobo...@redhat.com>
> *To:* John Williams <john.1...@yahoo.com>; "Freeipa-users@redhat.com" 
> <Freeipa-users@redhat.com>
> *Sent:* Thursday, April 7, 2016 7:11 AM
> *Subject:* Re: [Freeipa-users] CentOS 7 replica installation failing
> 
> On 04/07/2016 06:12 AM, John Williams wrote:
>  > I've setup an initial FreeIPA instance on a CentOS 7 host.  The install went
>  > without a hitch.  I can login to the GUI with no problems.  However, I am not
>  > able to install the replica on another CentOS 7 host.  I get the following
>  > errors:
>  >
>  > [root@ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders
>  > /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck
> 
> It was run with '--skip-conncheck'. Is there a reason? If you remove it,
> what does it complain about?
> 
> In general, using --skip-conncheck should be avoided because it may hide
> errors.
> 
> You could also check master server
> /var/log/dirsrv/slapd-your-instance/access and errors logs if there is
> some connection attempt from the replica visible.
> 
> And maybe /var/log/ipareplica-install.log contains more info.
> 
> I ran the skip connections, because when I ran it initially without the skip 
> connections, I got the following messages:
> 
> The following UDP ports could not be verified as open: 88, 464
> This can happen if they are already bound to an application
> and ipa-replica-conncheck cannot attach own UDP responder.
> 
> Remote master check failed with following error message(s):
> Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of 
> known hosts.
> Could not chdir to home directory /home/admin: No such file or directory
> Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 
> (TCP), 80 (TCP), 443 (TCP)
> 
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check 
> failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck 
> parameter.
> 
> There is nothing blocking the connections, and the initial IPA server seems 
> to 
> be working fine.
> 
> Here are some snippets from the log:
> 
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 525, in install_check
>     options.setup_ca, config.ca_ds_port, options.admin_password)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 91, in replica_conn_check
>     "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.")
> 
> 2016-04-07T11:30:06Z DEBUG The ipa-replica-install command failed, exception: 
> SystemExit: Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck 
> parameter.
> 2016-04-07T11:30:06Z ERROR Connection check failed!
> Please fix your network settings according to error messages above.
> If the check results are not valid it can be skipped with --skip-conncheck 
> parameter.
> 
> Here are some more logs:
> 
> [root@ipa2 ~]# tail -30 /var/log/ipareplica-conncheck.log
> Could not chdir to home directory /home/admin: No such file or directory
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> debug1: client_input_channel_req: channel 0 rtype e...@openssh.com reply 0
> debug1: channel 0: free: client-session, nchannels 1
> debug1: fd 1 clearing O_NONBLOCK
> debug1: fd 2 clearing O_NONBLOCK
> Transferred: sent 3032, received 2584 bytes, in 0.0 seconds
> Bytes per second: sent 131062.5, received 111697.1
> debug1: Exit status 0
> 
> 2016-04-07T11:30:02Z DEBUG Starting external process
> 2016-04-07T11:30:02Z DEBUG args='/bin/ssh' '-o StrictHostKeychecking=no' '-o 
> UserKnownHostsFile=/tmp/tmpCbCb50' 'ad...@ipa1.nrln.us' 
> '/usr/sbin/ipa-replica-conncheck --replica ipa2.nrln.us'
> 2016-04-07T11:30:05Z DEBUG Process finished, return code=1
> 2016-04-07T11:30:05Z DEBUG stdout=Check connection from master to remote 
> replica 
> 'ipa2.nrln.us':
>    Directory Service: Unsecu

Re: [Freeipa-users] CentOS 7 replica installation failing

2016-04-07 Thread John Williams


  From: Petr Vobornik <pvobo...@redhat.com>
 To: John Williams <john.1...@yahoo.com>; "Freeipa-users@redhat.com" 
<Freeipa-users@redhat.com> 
 Sent: Thursday, April 7, 2016 7:11 AM
 Subject: Re: [Freeipa-users] CentOS 7 replica installation failing
   
On 04/07/2016 06:12 AM, John Williams wrote:
> I've setup an initial FreeIPA instance on a CentOS 7 host.  The install went 
> without a hitch.  I can login to the GUI with no problems.  However, I am not 
> able to install the replica on another CentOS 7 host.  I get the following 
> errors:
> 
> [root@ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders 
> /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck

It was run with '--skip-conncheck'. Is there a reason? If you remove it,
what does it complain about?

In general, using --skip-conncheck should be avoided because it may hide
errors.

You could also check master server
/var/log/dirsrv/slapd-your-instance/access and errors logs if there is
some connection attempt from the replica visible.

And maybe /var/log/ipareplica-install.log contains more info.
I ran the skip connections, because when I ran it initially without the skip 
connections, I got the following messages:
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Remote master check failed with following error message(s):
Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts.
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP)

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
There is nothing blocking the connections, and the initial IPA server seems to 
be working fine.
Here are some snippets from the log:

  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 525, in install_check
    options.setup_ca, config.ca_ds_port, options.admin_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 91, in replica_conn_check
    "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.")

2016-04-07T11:30:06Z DEBUG The ipa-replica-install command failed, exception: SystemExit: Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
2016-04-07T11:30:06Z ERROR Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
Here are some more logs:
[root@ipa2 ~]# tail -30 /var/log/ipareplica-conncheck.log
Could not chdir to home directory /home/admin: No such file or directory
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype e...@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 1 clearing O_NONBLOCK
debug1: fd 2 clearing O_NONBLOCK
Transferred: sent 3032, received 2584 bytes, in 0.0 seconds
Bytes per second: sent 131062.5, received 111697.1
debug1: Exit status 0

2016-04-07T11:30:02Z DEBUG Starting external process
2016-04-07T11:30:02Z DEBUG args='/bin/ssh' '-o StrictHostKeychecking=no' '-o UserKnownHostsFile=/tmp/tmpCbCb50' 'ad...@ipa1.nrln.us' '/usr/sbin/ipa-replica-conncheck --replica ipa2.nrln.us'
2016-04-07T11:30:05Z DEBUG Process finished, return code=1
2016-04-07T11:30:05Z DEBUG stdout=Check connection from master to remote replica 'ipa2.nrln.us':
   Directory Service: Unsecure port (389): FAILED
   Directory Service: Secure port (636): FAILED
   Kerberos KDC: TCP (88): FAILED
   Kerberos KDC: UDP (88): WARNING
   Kerberos Kpasswd: TCP (464): FAILED
   Kerberos Kpasswd: UDP (464): WARNING
   HTTP Server: Unsecure port (80): FAILED
   HTTP Server: Secure port (443): FAILED
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

2016-04-07T11:30:05Z DEBUG stderr=Warning: Permanently added 'ipa1.nrln.us,192.168.1.38' (ECDSA) to the list of known hosts.
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP)
These two hosts are on the same subnet, with no firewall or iptables running.  
That's why the error message is confusing.
Any suggestions?
> WARNING: conflicting time synchronization serv

Re: [Freeipa-users] CentOS 7 replica installation failing

2016-04-07 Thread John Williams
I've setup an initial FreeIPA instance on a CentOS 7 host.  The install went 
without a hitch.  I can login to the GUI with no problems.  However, I am not 
able to install the replica on another CentOS 7 host.  I get the following 
errors:



[root@ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck
WARNING: conflicting time synchronization service 'chronyd' will be disabled in favor of ntpd
Directory Manager (existing master) password:
Existing BIND configuration detected, overwrite? [no]: yes
Using reverse zone(s) 1.168.192.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: configure dirsrv ccache
  [22/38]: enable SASL mapping fallback
  [23/38]: restarting directory server
  [24/38]: setting up initial replication
Starting replication, please wait until this has completed.
[ipa1.nrln.us] reports: Update failed! Status: [-1  - LDAP error: Can't contact LDAP server]
  [error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start replication

The error message is misleading. The two hosts sit on the same subnet.  All 
firewalls are off.  Selinux is disabled.  Here is an nmap port scan from the 
replica to the master:

[root@ipa2 ~]# nmap ipa1
Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
Nmap scan report for ipa1 (192.168.1.38)
Host is up (0.86s latency).
rDNS record for 192.168.1.38: ipa1.nrln.us
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
88/tcp   open  kerberos-sec
389/tcp  open  ldap
443/tcp  open  https
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
749/tcp  open  kerberos-adm
8080/tcp open  http-proxy
8443/tcp open  https-alt
MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
[root@ipa2 ~]#

Why do I get this message?
TIA!!


[Freeipa-users] CentOS 7 replica installation failing

2016-04-06 Thread John Williams
I've setup an initial FreeIPA instance on a CentOS 7 host.  The install went 
without a hitch.  I can login to the GUI with no problems.  However, I am not 
able to install the replica on another CentOS 7 host.  I get the following 
errors:
[root@ipa2 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-ipa2.nrln.us.gpg --skip-conncheck
WARNING: conflicting time synchronization service 'chronyd' will be disabled in favor of ntpd
Directory Manager (existing master) password:
Existing BIND configuration detected, overwrite? [no]: yes
Using reverse zone(s) 1.168.192.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: configure dirsrv ccache
  [22/38]: enable SASL mapping fallback
  [23/38]: restarting directory server
  [24/38]: setting up initial replication
Starting replication, please wait until this has completed.
[ipa1.nrln.us] reports: Update failed! Status: [-1  - LDAP error: Can't contact LDAP server]
  [error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Failed to start replication

The error message is misleading. The two hosts sit on the same subnet.  All 
firewalls are off.  Selinux is disabled.  Here is an nmap port scan from the 
replica to the master:

[root@ipa2 ~]# nmap ipa1
Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-07 00:12 EDT
Nmap scan report for ipa1 (192.168.1.38)
Host is up (0.86s latency).
rDNS record for 192.168.1.38: ipa1.nrln.us
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
88/tcp   open  kerberos-sec
389/tcp  open  ldap
443/tcp  open  https
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
749/tcp  open  kerberos-adm
8080/tcp open  http-proxy
8443/tcp open  https-alt
MAC Address: 52:54:00:33:34:F0 (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
[root@ipa2 ~]#

Why do I get this message?
TIA!!

[Freeipa-users] IPA sporadic behavior

2016-03-24 Thread John Williams
I've got some sporadic behavior on my IPA instance and I'm hoping someone can 
help me resolve the issue.  The problem is that many times my clients cannot 
authenticate to the respective hosts.  First, my environment.  Some details:
ipa2 - centos 6.3 - ipa server 3.0.0
ipa3 - centos 7.1 - ipa server 4.1.0
We had a FreeIPA server host ipa1 that died some time ago.  I do not have any 
details on that host.
Again, the problem is that clients cannot authenticate very frequently.  
Here are some examples of the problems I am having:  A client can login to the 
console of a CentOS 6.7 host, but cannot SSH into it.  One user can login to a 
host, but another user cannot.
Some diagnostics information:
Services running on IPA servers:
[root@ipa2 ~]# ps -ef | grep krb
root      6007  5936  0 19:21 pts/5    00:00:00 grep krb
root     22339     1  0 Feb06 ?        00:00:00 /usr/sbin/krb5kdc -r AAA -P /var/run/krb5kdc.pid -w 2
root     22344 22339  0 Feb06 ?        00:42:56 /usr/sbin/krb5kdc -r AAA -P /var/run/krb5kdc.pid -w 2
root     22345 22339  0 Feb06 ?        00:42:50 /usr/sbin/krb5kdc -r AAA -P /var/run/krb5kdc.pid -w 2

[root@ipa3 ~]# ps -ef | grep  krb
root      2513     1  0  2015 ?        00:00:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 2
root      2514  2513  0  2015 ?        00:01:20 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 2
root      2515  2513  0  2015 ?        00:01:18 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 2
root      5702  5609  0 19:20 pts/1    00:00:00 grep --color=auto krb
slapd is running on both servers:
[root@ipa3 ~]# ps -ef | grep slapd
dirsrv    2464     1  0  2015 ?        09:39:37 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-IDEF -i /var/run/dirsrv/slapd-IDEF.pid -w /var/run/dirsrv/slapd-IDEF.startpid
root      5707  5609  0 19:25 pts/1    00:00:00 grep --color=auto slapd
[root@ipa3 ~]#

[root@ipa2 ~]# ps -ef | grep slapd
root      6024  5936  0 19:26 pts/5    00:00:00 grep slapd
dirsrv   22137     1  3 Feb06 ?        1-20:48:55 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-AAA -i /var/run/dirsrv/slapd-AAA .pid -w /var/run/dirsrv/slapd-AAA .startpid
pkisrv   22209     1  0 Feb06 ?        00:44:54 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
[root@ipa2 ~]#
System time is synchronized across all hosts.
For DNS, I have the following entries:
[root@sharedone ~]# dig ipa.BBB.AAA +short
192.168.120.253
[root@sharedone ~]# dig ipa2.BBB.AAA +short
192.168.120.253
[root@sharedone ~]# dig ipa3.BBB.AAA +short
192.168.120.139
[root@sharedone ~]#
Now the ipa.AAA.AAA server does not exist anymore because it died.  But if I 
remove that DNS entry everything stops working and no one can authenticate, 
versus the sporadic issues we are having.
If you need more details or specific information, please let me know.  I'm at a 
loss as to what causes this behavior.
Thanks,
JT

[Freeipa-users] adding freeipa client fails

2015-07-09 Thread John Williams
(Not sure if this message went through initially, this is a resend.)
I'm trying to add a freeIPA client on an Ubuntu 14.04.02 version and it's 
failing.  Here is some background information.  We lost (RIP) our main IPA 
server ipa.mydomain.com a while ago, but we were able to fail over to a replica 
called ipa2.  Since then we've built a redundant ipa3.mydomain.com replica.  
Since then all the systems that were there previously work fine.  But adding 
new IPA hosts fails.
The main error below (I believe) is:
Joining realm failed: libcurl failed to execute the HTTP POST transaction, 
explaining:  SSL: certificate subject name 'ipa2.mydomain.com' does not match 
target host name 'ipa.mydomain.com'
Any idea how to fix?
Thanks in advance!

root@myhost:~# ipa-client-install -N --hostname myhost.mydomain.com --mkhomedir
DNS domain 'COM' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: myhost.mydomain.com
Realm: COM
DNS Domain: mydomain.com
IPA Server: ipa.mydomain.com
BaseDN: dc=COM

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@COM: 
Unable to download CA cert from LDAP.
Do you want to download the CA cert from http://ipa.mydomain.com/ipa/config/ca.crt?
(this is INSECURE) [no]: yes
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=COM
    Issuer:      CN=Certificate Authority,O=COM
    Valid From:  Thu Apr 04 23:20:27 2013 UTC
    Valid Until: Mon Apr 04 23:20:27 2033 UTC

Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining:  SSL: certificate subject name 'ipa2.mydomain.com' does not match target host name 'ipa.mydomain.com'
Installation failed. Rolling back changes.
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
/etc/ipa/default.conf could not be removed: [Errno 2] No such file or directory: '/etc/ipa/default.conf'
Please remove /etc/ipa/default.conf manually, as it can cause subsequent installation to fail.
Client uninstall complete.
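The enrollment failure above is a TLS hostname check: the client was told to talk to ipa.mydomain.com, but the server that answers presents a certificate issued for ipa2.mydomain.com. The following is an added example, not code from the post or from FreeIPA, that reproduces the matching rules a client such as libcurl applies (RFC 6125 DNS-ID matching, CN consulted only when the certificate carries no DNS SANs) against constructed certificate name sets; the `cert_names` dict layout, the `REPLICA_CERT*` samples and the function names are assumptions of this example.

```python
import ipaddress


def dns_name_matches(pattern, hostname):
    """RFC 6125-style DNS-ID match: case-insensitive, exact name or a single
    left-most wildcard label ('*.example.com'); no partial-label wildcards and
    no wildcard matching a public-suffix-like two-label name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(cert_names, hostname):
    """cert_names is a constructed stand-in for a parsed certificate:
    {'cn': 'host', 'san': ['DNS:name', 'IP:addr', ...]}.
    Returns True if the certificate is valid for hostname under the usual client
    rules: an IP-literal target must appear as an IP SAN; a DNS target is matched
    against DNS SANs, and the subject CN is consulted only when the certificate
    carries no DNS SANs at all."""
    san = cert_names.get("san", [])
    dns_ids = [s[len("DNS:"):] for s in san if s.startswith("DNS:")]
    ip_ids = [s[len("IP:"):] for s in san if s.startswith("IP:")]
    try:
        target_ip = ipaddress.ip_address(hostname)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        return any(ipaddress.ip_address(ip) == target_ip for ip in ip_ids)
    if dns_ids:
        return any(dns_name_matches(d, hostname) for d in dns_ids)
    cn = cert_names.get("cn")
    return cn is not None and dns_name_matches(cn, hostname)


def diagnose_enrollment_target(cert_names, server_name):
    """Explain whether a client pointed at server_name would accept this
    certificate, and what would make it acceptable if not."""
    if cert_covers_host(cert_names, server_name):
        return "ok: certificate covers '%s'" % server_name
    names = cert_names.get("san") or ["CN=%s" % cert_names.get("cn")]
    return ("mismatch: certificate names %s do not match target host name '%s'; "
            "point the client at a name the certificate carries, or reissue the "
            "server certificate with a DNS SAN for '%s'"
            % (", ".join(names), server_name, server_name))


# Constructed to mirror the failure quoted above: the name ipa.mydomain.com now
# reaches the replica, whose certificate only names ipa2.mydomain.com.
REPLICA_CERT = {"cn": "ipa2.mydomain.com"}
# The same replica after reissuing its certificate with a SAN for the alias.
REPLICA_CERT_WITH_ALIAS = {"cn": "ipa2.mydomain.com",
                           "san": ["DNS:ipa2.mydomain.com", "DNS:ipa.mydomain.com"]}

if __name__ == "__main__":
    print(diagnose_enrollment_target(REPLICA_CERT, "ipa.mydomain.com"))
    print(diagnose_enrollment_target(REPLICA_CERT_WITH_ALIAS, "ipa.mydomain.com"))
```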

[Freeipa-users] User Can't Authenticate

2015-05-21 Thread John Williams
I've got a freeIPA client where a user account cannot authenticate.
The log entry for IPA looks like:
audit/audit.log.4:type=USER_AUTH msg=audit(1425316592.375:38090): user pid=16485 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=aswanda exe=/usr/sbin/sshd hostname=172.31.0.162 addr=172.31.0.162 terminal=ssh res=failed'

When I try to sudo to the user account, I get the following error:
[root@myhost ~]# sudo su - testuser
su: user testuser does not exist
However, all that works for my account.
Please help.  Thanks in advance.
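The audit entry above records a PAM authentication failure from sshd, while `su: user testuser does not exist` shows the host cannot even look the account up, which points at identity lookup (SSSD/NSS) rather than at the password. As an added example, not code from the post, the block below parses auditd USER_AUTH records of that shape, counts failures per account and source address, and checks whether each failing account resolves on the host; the sample log lines are constructed (the first mirrors the quoted entry), and the function names are this example's own.

```python
import re
from collections import Counter
try:
    import pwd  # POSIX account database (NSS); absent on Windows
except ImportError:
    pwd = None

# Constructed sample: the first line mirrors the USER_AUTH entry quoted in the post
# above (same fields and values); the remaining lines are made up for this example.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1425316592.375:38090): user pid=16485 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=aswanda exe=/usr/sbin/sshd hostname=172.31.0.162 addr=172.31.0.162 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1425316605.118:38092): user pid=16491 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=aswanda exe=/usr/sbin/sshd hostname=172.31.0.162 addr=172.31.0.162 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1425316640.902:38097): user pid=16503 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=admin exe=/usr/sbin/sshd hostname=172.31.0.9 addr=172.31.0.9 terminal=ssh res=success'
type=USER_ACCT msg=audit(1425316640.905:38098): user pid=16503 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=admin exe=/usr/sbin/sshd hostname=172.31.0.9 addr=172.31.0.9 terminal=ssh res=success'
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value fields; a value is either a single-quoted block (which may contain
# spaces and its own key=value pairs, as the PAM msg='...' part does) or a run
# of non-blank characters
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_audit_line(line):
    """Turn one auditd record into a flat dict; returns None for non-audit text."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    for key, value in FIELD_RE.findall(m.group("body")):
        if value.startswith("'"):
            rec.update(FIELD_RE.findall(value[1:-1]))  # flatten the nested PAM fields
        else:
            rec[key] = value
    return rec


def failed_auth_by_source(lines):
    """Count PAM authentication failures per (account, source address)."""
    counts = Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if (rec and rec["type"] == "USER_AUTH"
                and rec.get("op") == "PAM:authentication" and rec.get("res") == "failed"):
            counts[(rec.get("acct"), rec.get("addr"))] += 1
    return dict(counts)


def account_resolves(name):
    """True if the host's NSS stack (SSSD for IPA users) can look the account up.
    'su: user X does not exist' is exactly this lookup failing, so False here
    means an identity-lookup problem (sssd, nsswitch, stale cache), not a bad
    password. Returns None where the pwd module is unavailable."""
    if pwd is None:
        return None
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def triage(lines):
    """Per failing account: failure count, source addresses, and whether the
    account resolves on this host at all."""
    report = {}
    for (acct, addr), n in failed_auth_by_source(lines).items():
        entry = report.setdefault(acct, {"failures": 0, "sources": set(),
                                         "resolves": account_resolves(acct)})
        entry["failures"] += n
        entry["sources"].add(addr)
    return report


if __name__ == "__main__":
    for acct, info in triage(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(acct, info)
```

On a real host, feed it `ausearch -m USER_AUTH --raw` output or the audit.log lines directly.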

Re: [Freeipa-users] Expired Certs

2015-04-17 Thread John Williams

 You are going way too far back in time AFAICT. The certs expired on April
 5 of this year so you don't need to go back to 2014. Just go back to
 April 3 or 4.

 You'll also need to restart IPA before kicking certmonger ipactl restart

 rob



***  SNIP ***
Thanks!!

Following your advice, it looks like only one of the eight certificates is now 
monitoring.  Check out the following:

[root@ipa ~]# getcert list | grep -A1 status
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
--
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
--
	status: MONITORING
	ca-error: Server at https://ipa.infra.idef/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: hostname in subject of request 'ipa.infra.idef' does not match principal hostname 'ipa').
How can I get the remaining certs fixed as well?  Thanks in advance.
 


Re: [Freeipa-users] Expired Certs

2015-04-16 Thread John Williams
[ snip ]




 
 [root@ipa ~]# date
 Thu Apr 10 00:13:51 EDT 2014
 [root@ipa ~]# /etc/init.d/certmonger restart
 Stopping certmonger:                                      [  OK  ]
 Starting certmonger:                                      [  OK  ]
 [root@ipa ~]# 

You are going way too far back in time AFAICT. The certs expired on April
5 of this year so you don't need to go back to 2014. Just go back to
April 3 or 4.

You'll also need to restart IPA before kicking certmonger ipactl restart

rob

Thanks Rob,
Following your advice, it looks like only one of the eight certificates is now 
monitoring.  Check out the following:

[root@ipa ~]# getcert list | grep -A1 status
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
--
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
--
	status: MONITORING
	ca-error: Server at https://ipa.infra.idef/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: hostname in subject of request 'ipa.infra.idef' does not match principal hostname 'ipa').
How can I get the remaining certs fixed as well?  Thanks in advance.

[Freeipa-users] Expired Certs

2015-04-10 Thread John Williams
I've inherited an IPA infrastructure for a group in my organization.  So I've 
got a RHEL instance with an IPA 3.0.0 server with expired certs.
[root@ipa ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root@ipa ~]# 

[root@ipa ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20130404232110':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=CA Audit,O=IDEF
	expires: 2017-02-15 19:26:38 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20130404232111':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=OCSP Subsystem,O=IDEF
	expires: 2017-02-15 19:25:38 UTC
	eku: id-kp-OCSPSigning
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20130404232112':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=CA Subsystem,O=IDEF
	expires: 2017-02-15 19:25:38 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20130404232113':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=IPA RA,O=IDEF
	expires: 2017-02-15 19:25:38 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20130404232114':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=ipa.infra.idef,O=IDEF
	expires: 2017-02-15 19:25:38 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20130404232127':
	status: CA_UNREACHABLE
	ca-error: Error setting up ccache for host service on client using default keytab: Cannot contact any KDC for realm 'IDEF'.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDEF/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=ipa.infra.idef,O=IDEF
	expires: 2015-04-05 23:21:26 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20130404232155':
	status: CA_UNREACHABLE
	ca-error: Error setting up ccache for host service on client using default keytab: Cannot contact any KDC for realm 'IDEF'.
	stuck: no
	key pair storage: 
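
The getcert list output above, like the grep -A1 status output in the earlier reply, is what an administrator has to read through to work out which tracking requests are expired, stuck or erroring. The following is an added example, not code from this thread, from FreeIPA or from certmonger: it parses that text and reports every request that needs attention. The sample output and all host, realm, PIN and request ID values in it are constructed for the example, and the mapping of ca-error texts to short causes is this example's own labelling. The reference time is passed in explicitly, so the check gives the right answer even on a host whose clock has been rolled back, and the NSS token PIN that getcert prints in the key pair storage line is masked before it is stored.

```python
"""Triage helper for certmonger's `getcert list` output (added example).

Parses the text `getcert list` prints and flags every tracking request that
is expired, close to expiry, not in MONITORING state, or carrying a ca-error
whose text matches a known cause.  All sample values below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of real `getcert list` output: an unindented
# "Request ID" line followed by tab-indented "field: value" lines.
SAMPLE_OUTPUT = """Number of certificates and requests being tracked: 4.
Request ID '20130404232110':
\tstatus: CA_UNREACHABLE
\tca-error: Error 7 connecting to http://ipa.example.test:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='123456'
\tsubject: CN=CA Audit,O=EXAMPLE
\texpires: 2017-02-15 19:26:38 UTC
Request ID '20130404232127':
\tstatus: CA_UNREACHABLE
\tca-error: Error setting up ccache for host service on client using default keytab: Cannot contact any KDC for realm 'EXAMPLE'.
\tsubject: CN=ipa.example.test,O=EXAMPLE
\texpires: 2015-04-05 23:21:26 UTC
Request ID '20130404232155':
\tstatus: MONITORING
\tca-error: Server at https://ipa.example.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: hostname in subject of request 'ipa.example.test' does not match principal hostname 'ipa').
\tsubject: CN=ipa.example.test,O=EXAMPLE
\texpires: 2015-04-25 10:00:00 UTC
Request ID '20130404232199':
\tstatus: MONITORING
\tsubject: CN=IPA RA,O=EXAMPLE
\texpires: 2017-02-15 19:25:38 UTC
"""
# Constructed reference time (the date of the post this sample imitates).
SAMPLE_WHEN = datetime(2015, 4, 10, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
PIN_RE = re.compile(r"\bpin='[^']*'")          # matches pin=, not pinfile=
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"

# Substring of the ca-error text -> short cause label (this example's own).
ERROR_CAUSES = [
    ("Cannot contact any KDC", "kerberos: no KDC reachable for the realm"),
    ("Peer certificate cannot be authenticated", "tls: CA chain not trusted by the renewal client"),
    ("Couldn't connect to server", "network: CA endpoint refused or unreachable"),
    ("4301", "ipa-rpc 4301: certificate operation rejected (invalid credential)"),
    ("2100", "ipa-rpc 2100: request denied by the IPA server (insufficient access)"),
]


def parse_getcert_list(text):
    """Return {request_id: {field: value}}; token PINs are masked on the way in."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = PIN_RE.sub("pin='<redacted>'", value.strip())
    return requests


def classify_error(ca_error):
    """Map a ca-error line to a short cause; unknown texts are passed through."""
    for needle, label in ERROR_CAUSES:
        if needle in ca_error:
            return label
    return "ca-error: " + ca_error[:60]


def triage(fields, now, warn_days=30):
    """Reasons one tracking request needs attention (empty list = healthy)."""
    reasons = []
    status = fields.get("status")
    if status and status != "MONITORING":
        reasons.append("status " + status)
    if "expires" in fields:
        exp = datetime.strptime(fields["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
        if exp <= now:
            reasons.append("expired " + fields["expires"])
        elif exp - now < timedelta(days=warn_days):
            reasons.append("expires in %d days" % (exp - now).days)
    if fields.get("ca-error"):
        reasons.append(classify_error(fields["ca-error"]))
    return reasons


def needs_attention(text, now, warn_days=30):
    """Return {request_id: reasons} for every request that is not healthy."""
    result = {}
    for rid, fields in parse_getcert_list(text).items():
        reasons = triage(fields, now, warn_days)
        if reasons:
            result[rid] = reasons
    return result


if __name__ == "__main__":
    # On a live IPA server: needs_attention(subprocess.check_output(["getcert", "list"], text=True), datetime.now(timezone.utc))
    for rid, reasons in needs_attention(SAMPLE_OUTPUT, SAMPLE_WHEN).items():
        print(rid, "->", "; ".join(reasons))
```

With the constructed sample and reference date, three of the four requests are reported: the audit cert because its status is CA_UNREACHABLE and the CA endpoint refused the connection, the directory server cert because it is expired and no KDC could be reached, and the HTTP server cert because it expires within the 30 day warning window and the IPA server denied the request with error 2100. The fourth request is in MONITORING with a 2017 expiry and no ca-error, so it is silent.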

[Freeipa-users] Expired Certs on 3.0.0 IPA host

2015-04-08 Thread John Williams
I'm looking at the following link for recovering expired certificates on 
FreeIPA 3.0.0:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
  
Problem is when I look inside my /etc/pki-ca/CS.cfg file for a subsystemCert I do 
not find one.  I see the other three:
auditSigningCert cert-pki-ca = updated
ocspSigningCert cert-pki-ca = updated
Server-Cert cert-pki-ca = no cert here
subsystemCert cert-pki-ca = updated
Has anyone ever run across this?  Any suggestions or hints would be 
appreciated.  If I roll the clock back on my system I can login to IPA, but if 
the time is updated, I cannot login.
Please help. 